
Facebook updates bug disclosure policy

Facebook has revised its vulnerability disclosure policy in hopes of making researchers more willing to come forward with information.

The updated policy is intended to make researchers more comfortable about disclosing a security bug to Facebook, without the fear of being sued by the social networking giant.

Facebook traditionally has encouraged researchers who discover a possible security problem on the site to follow “responsible disclosure” practices, by directly notifying the company of the issue. The submitter then should allow Facebook time to investigate and fix the problem before going public with details.

However, the previous version of the policy could have led some to believe that Facebook reserved the right to sue bug finders, company spokesman Simon Axten told SCMagazineUS.com in an email Monday.

“This wasn't our intention, and so we've changed it to read less strictly,” he said.

The policy now reads: “If you share details of a security issue with us and give us a reasonable period of time to respond to it before making it public, and in the course of that research made a good faith effort to avoid privacy violations, destruction of data, or interruption or degradation of our service, we will not bring any lawsuit against you or ask law enforcement to investigate you for that research.”

Many other software and hardware providers try to deal with security flaws internally and do not encourage researchers to report issues, Marcia Hofmann, senior staff attorney at the EFF, said in a blog post Friday. As a result, researchers are often deterred from reporting such issues to companies out of fear of prosecution.

“We hope to see others follow Facebook's lead and go even further,” Hofmann wrote. “The more transparent companies are about their approaches to vulnerability disclosure — and the more they encourage users to come forward — the more often they will learn about problems that need to be fixed.”

Such transparency will ultimately lead to better and more secure services, she said.

The ongoing debate over responsible disclosure gained steam this year when a Google researcher publicly released details about a Windows vulnerability after he was unable to negotiate a timeline for a fix with Microsoft.

Not long after, Microsoft announced a new initiative, known as coordinated vulnerability disclosure, that seeks to align efforts between researchers and vendors.

Google also chimed in, issuing new guidelines that call for vendors to patch bugs within 60 days. If a vendor fails to meet an agreed-upon deadline, or fails to address the issue at all, the researcher has the right to publicly disclose details about the vulnerability in question.

Meanwhile, some vendors, such as Google and Mozilla, go so far as to provide researchers cash rewards for vulnerability disclosures, a practice that has garnered mixed reactions among the security community.
